Data Classification

PURPOSE
The purpose of this guideline is to establish a framework for classifying institutional data based on its level of sensitivity, value and criticality to the University, as required by the University's Information Security Policy. The classification assigned to data determines the baseline security controls appropriate for safeguarding it. Classification of data should be performed by the appropriate data owner. Further standards, guidelines and recommendations will specify handling requirements for data based on its classification.

SCOPE
This guideline applies to all data or information that is created, collected, stored or processed by the University, in electronic or non-electronic formats. In particular, it applies to all departments and data owners who are responsible for classifying and protecting institutional data.

RECOMMENDATIONS AND GUIDELINES
Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the University should that data be disclosed, altered or destroyed without authorization. All institutional data should be classified into one of three sensitivity levels, or classifications, listed here from most to least restrictive:

A. Confidential Data
Data should be classified as Confidential when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the University. This includes data protected by state or federal privacy regulations and data protected by confidentiality agreements. The highest level of security controls should be applied to Confidential data.

B. Private Data
Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the University. By default, all institutional data not explicitly classified as Confidential or Public data should be treated as Private data; Private is therefore the classification that applies until a data owner assigns another. A reasonable level of security controls should be applied to Private data.

C. Public Data
Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University. While little or no control is required to protect the confidentiality of Public data, some level of control is still required to protect its integrity and availability, that is, to prevent unauthorized modification or destruction of Public data (for example, defacement of a public web page).

1.0 Determining Classifications
Data owners should use the table here as a reference in determining the classification of data. Data types that have classifications mandated (due to applicable laws, regulations or contracts) and those that are in common use throughout the University are included. For assistance in determining an appropriate classification, or to add a new data type, send your request to InfoSec@bryant.edu.

2.0 Data Collections
Data owners may wish to assign a single classification to a collection of data that is common in purpose or function (for example, the fields of one record or the tables of one database). When classifying a collection of data, the most restrictive classification of any of the individual data elements should be used, since a collection can be no less sensitive than its most sensitive element. Elements that have not yet been classified count as Private for this purpose, per the default in section B.
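The "most restrictive element wins" rule above, together with the default-to-Private rule from section B and the reclassification check from section 3.0, can be expressed directly in code. The following is an added illustration, not part of the University's guideline or any Bryant tooling; the sample collection (a hypothetical student record) and the classifications assigned to its fields are constructed for the example and are not taken from the University's classification table.

```python
from enum import IntEnum


class Classification(IntEnum):
    """The three sensitivity levels from the guideline, ordered so that a
    larger value is more restrictive. This makes max() the aggregation rule."""
    PUBLIC = 1
    PRIVATE = 2
    CONFIDENTIAL = 3


# Section B: data not explicitly classified is treated as Private.
DEFAULT_CLASSIFICATION = Classification.PRIVATE


def effective_classification(assigned):
    """Classification of a single element; None means 'not yet classified'."""
    return DEFAULT_CLASSIFICATION if assigned is None else Classification(assigned)


def classify_collection(elements):
    """Section 2.0: a collection takes the most restrictive classification of
    any of its elements. `elements` maps element name -> Classification or None."""
    if not elements:
        raise ValueError("a collection must contain at least one data element")
    return max(effective_classification(c) for c in elements.values())


def reclassify(elements, name, new_classification):
    """Section 3.0: apply a reclassification of one element and report whether
    the collection's classification changed. A change (in either direction)
    is the trigger for the data custodian to re-check the security controls.
    Returns (before, after, controls_review_needed)."""
    if name not in elements:
        raise KeyError(f"unknown data element: {name}")
    before = classify_collection(elements)
    elements[name] = new_classification
    after = classify_collection(elements)
    return before, after, after != before


# Constructed sample: one hypothetical record with a mix of classifications.
# The field classifications are illustrative assumptions, not Bryant's table.
SAMPLE_STUDENT_RECORD = {
    "preferred_name": Classification.PUBLIC,
    "campus_mailbox": None,                    # owner has not classified it yet
    "student_id": Classification.PRIVATE,
    "ssn": Classification.CONFIDENTIAL,        # regulated identifier
}


if __name__ == "__main__":
    record = dict(SAMPLE_STUDENT_RECORD)
    print("collection classification:", classify_collection(record).name)
    # Removing the regulated field lowers the collection's classification,
    # which still warrants a review of the controls now applied to it.
    del record["ssn"]
    print("without ssn:", classify_collection(record).name)
    before, after, review = reclassify(record, "student_id", Classification.CONFIDENTIAL)
    print(f"student_id reclassified: {before.name} -> {after.name}, review needed: {review}")
```

Note that the unclassified `campus_mailbox` field alone keeps the collection at Private even after the Confidential field is removed; a collection containing any unclassified element can never be labelled Public until its owner has classified every element.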

3.0 Reclassifications
It is important to periodically reevaluate the classification of institutional data to ensure the assigned classification is still appropriate, given changes to legal and contractual obligations as well as changes in the use of the data or its value to the University. This evaluation should be conducted by the appropriate data owner, who should determine the appropriate frequency of review. If a data owner determines that the classification of a certain data type has changed, the data custodian should perform an analysis of security controls to determine whether the existing controls are consistent with the new classification. This applies when a classification is lowered as well as when it is raised, since controls that are no longer required may be relaxed only after the analysis confirms it. If gaps are found in existing security controls, they should be corrected in a timely manner, commensurate with the level of risk presented by the gaps.

4.0 Enforcement
The University considers any violation of the directives outlined within this document to be a serious offense. Failure to comply may subject the violator to disciplinary or legal action by the University.

5.0 Exceptions
Any exceptions to directives outlined within this document are to be reviewed and approved by the Information Security Program Committee as needed.

6.0 Enacted and Revisions
Date Enacted: 11/7/2011
Revision: 2.1
Last Reviewed: 10/24/2016
Next Review: October 2017

7.0 Standards and Reference Categories
ISO/IEC 27002: 7.2 – Information Classification
PCI DSS 2.0: 3.1